/cosmos-sdk-codeql

A query suite for common bug patterns in Cosmos SDK-based applications

Primary LanguageCodeQLApache License 2.0Apache-2.0

cosmos-sdk-codeql

A query suite for common bug patterns in Cosmos SDK-based applications.

Passive Maintenance

This repository is in a passive maintenance mode: it is not actively developed, but we will accept pull requests and issues. It may, however, take some time to respond.

Usage

In CodeQL CLI, you can download it using the following command:

$ codeql pack download crypto-com/cosmos-sdk-codeql@0.0.7

See more details in the CodeQL CLI documentation.

In order to add the extra queries to the CI pipeline, you can use the queries or packs option in the CodeQL initialization:

#...
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: 'go'
        queries: crypto-com/cosmos-sdk-codeql@v0.0.7, <...other queries...>
#...

See more details in the GitHub Code Scanning documentation.

False Negatives

The queries have heuristics based on the usage in the Cosmos SDK codebase to reduce false positives. They may, however, lead to false negatives: for example, if you used "client" package's code parts (that may be ignored by queries) in consensus-critical sections, related bugs from ignored packages may not be uncovered by queries. If you are worried about false negatives in particular queries, you can open an issue to discuss the query change. Alternatively, you can tweak the query and either execute it manually from time to time, or add the tweaked query to your CI scanning action.

False Positives

The queries over-approximate and may lead to false positives. If you encounter a false positive, you can do the following:

  1. you can dismiss the false positive alerts in the Security tab on GitHub;
  2. if see a repeating pattern of false positives, you can open an issue to discuss the query improvement;
  3. alternatively, if you cannot dismiss alerts in the Security tab on GitHub, some of the queries will ignore findings that have an explicit comment (starting with "SAFE:") that explains why it is safe to ignore that bit of code. The comments can be placed either on the preceding line or on the enclosing function:
// SAFE: ...explanation why findings in this function are false positives...
func myFun(...) {
   ...
}

func myFun2(...) {
  ...
  // SAFE: ...explanation why this particular finding is a false positive...
  myVar := ...
  ...
}